AI description
CVE-2025-53367 is an out-of-bounds write vulnerability affecting DjVuLibre, a GPL implementation of the DjVu format, in versions prior to 3.5.29. The vulnerability lies within the `MMRDecoder::scanruns` method, which does not check that the `xr` pointer stays within the bounds of the allocated buffer, so writes can land beyond the allocated memory and corrupt the heap. An out-of-bounds read with `pr` is also possible because of the same missing bounds check. An attacker could exploit the vulnerability by crafting a malicious DjVu document that triggers the heap corruption. This may lead to arbitrary memory writes, potentially enabling remote code execution, system compromise, or application crashes. Version 3.5.29 of DjVuLibre contains a patch that addresses this vulnerability.
- Description
- DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer. This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with pr is also possible for the same reason. This issue has been patched in version 3.5.29.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 8.4
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- security-advisories@github.com
- CWE-125
- Hype score
- Not currently trending
CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre https://t.co/nDZXzP6GrE #GitHub #Git https://t.co/FXwth7Zqfi
@lopezunwired
7 Jul 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
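A serious vulnerability (CVE-2025-53367) has been discovered in DjVuLibre, a decoder for the DjVu document format used in Linux environments. Caused by an out-of-bounds buffer write in the MMRDecoder::scanruns method, a crafted DjVu file (which can be disguised as .pdf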
@yousukezan
5 Jul 2025
595 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A flaw (CVE-2025-53367, CVSS 8.4) in DjVuLibre allows remote code execution on Linux via out-of-bounds write. PoC is available; patch to v3.5.29 immediately. #DjVuLibre #LinuxSecurity #RCE #Cybersecurity #Vulnerability https://t.co/bMuwK2D2Dj
@the_yellow_fall
5 Jul 2025
271 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
#Linux: #DjVuLibre vulnerability CVE-2025-53367 could be exploited to gain code execution on a Linux Desktop system when the user tries to open a crafted PDF document. The POC works on a fully up-to-date Ubuntu 25.04 (x86_64): 👇 https://t.co/GHDLBY8iab
@securestep9
4 Jul 2025
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-53367: An exploitable out-of-bounds write that works on a fully up-to-date Ubuntu 25.04 https://t.co/4XP7K0juAV
@Nosoynadiemas
3 Jul 2025
1851 Impressions
10 Retweets
30 Likes
19 Bookmarks
1 Reply
0 Quotes
CVE-2025-53367 DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is aff… https://t.co/eyzy7cPV05
@CVEnew
3 Jul 2025
669 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes